VPN Tunnel between Cisco 877 ADSL Modem and Watchguard Firebox X1000 not passing traffic one way

Posted on 2006-04-06
Last Modified: 2012-06-21
I have a VPN Tunnel setup with a Firebox X1000 at my main site, and a Cisco 877 at my remote site. When traffic is initiated from the cisco side the tunnel comes up fine and traffic can pass both ways with no issue. When the cisco side is idle for a given amount of time the tunnel goes down and the firebox will not initiate it even if I try to access the 877 segment. The packets never make it past the firebox. But when the cisco side pings, the packets make it to the firebox and back.

Here is the log from my firebox...

04/06/06 10:54  iked[157]:  FROM  71.***.**.*** MM-HDR   ISA_SA ISA_VENDORID ISA_VENDORID ISA_VENDORID
04/06/06 10:54  iked[157]:  TO    71.***.**.*** MM-HDR   ISA_SA ISA_VENDORID
04/06/06 10:54  iked[157]:  Rejecting peer XAUTH request: not configured
04/06/06 10:54  iked[157]:  TO    71.***.**.*** MM-HDR   ISA_KE ISA_NONCE NAT-D NAT-D
04/06/06 10:54  iked[157]:  CRYPTO ACTIVE after delay
04/06/06 10:54  iked[157]:  FROM  71.***.**.*** MM-HDR*  ISA_ID ISA_HASH ISA_NOTIFY
04/06/06 10:54  iked[157]:  Received INITIAL_CONTACT message, mess_id=0x00000000
04/06/06 10:54  iked[157]:  TO    71.***.**.*** MM-HDR*  ISA_ID ISA_HASH
04/06/06 10:54  iked[157]:  FROM  71.***.**.*** QM-HDR* -917E8CE1 ISA_HASH ISA_SA ISA_NONCE ISA_ID ISA_ID
04/06/06 10:54  iked[157]:  Phase 1 completed as responder
04/06/06 10:54  iked[157]:  Deleting old phase 1 SA for 71.***.**.***
04/06/06 10:54  iked[157]:  Deleting SA: peer        71.***.**.***
04/06/06 10:54  iked[157]:               my_cookie   9E**************
04/06/06 10:54  iked[157]:               peer_cookie 00**************
04/06/06 10:54  iked[157]:  ipsec_cancel_acquire: Called as Initiator
04/06/06 10:54  iked[157]:  Cancelled acquire for channel (9)
04/06/06 10:54  iked[157]:  Getting IPSEC preferences as Responder propnum=1, mode=(Tunnel), laddr=68.***.**.**, raddr=71.***.**.***
04/06/06 10:54  iked[157]:  TO    71.***.**.*** QM-HDR* -917E8CE1 ISA_HASH ISA_SA ISA_NONCE ISA_ID ISA_ID
04/06/06 10:54  iked[157]:  FROM  71.***.**.*** QM-HDR* -917E8CE1 ISA_HASH
04/06/06 10:54  iked[157]:  Load outbound ESP SA, Algs=ESP_3DES/AUTH_ALG_HMAC_SHA1 Life=3600sec/4608000KB SPI=32BAB33C
04/06/06 10:54  iked[157]:  Load inbound  ESP SA, Algs=ESP_3DES/AUTH_ALG_HMAC_SHA1 Life=3600sec/4608000KB SPI=0F04D62D
04/06/06 10:54  iked[157]:  Tunnel created for <->
04/06/06 10:54  iked[157]:  Committing SAs for channel=9 established with QM message_id=917E8CE1
04/06/06 10:54  kernel:  ipsec: make bundle for channel 9, 1 in SA's, 1 out SA's
04/06/06 10:54  kernel:  ipsec: Removing old input bundle

Any one have any ideas as to why? I have a ticket open with cisco but they are saying it is my firebox. I do not carry a service contract with watchguard because I am trying to get all of my equipment over to cisco.

Also... Tracert stops at my firebox and goes no further. That is when the firebox tries to initiate the tunnel with the cisco 877.
Also.... None of the pcs on the cisco 877 side can access the internet? I am not sure if this has anything to do with the resolve.
Question by:_SKIN_
    LVL 15

    Accepted Solution

    That log seems to show a tunnel being set up and not showing the problem.

    One thing that could do as you describe is if Perfect Forward Secrecy (PFS) is enabled on the Firebox and not on the Cisco. Check your IPSEC/Phase 2 configurations on each - they must match!

    Your internet access problem with the 877 could possibly be an access-list/NAT mis-configuration. I suggest you raise another question for this with a "safe" (public IP addresses and passwords masked) copy of the configuration.

    Author Comment

    I figured it out... The diffie helmen group was set to group 1 on the firebox and the diffie helmen group was set to 2 on the cisco box. I do not know any thing about diffie helmen groups but when I changed the firebox to group 2 it worked fine.

    Featured Post

    Find Ransomware Secrets With All-Source Analysis

    Ransomware has become a major concern for organizations; its prevalence has grown due to past successes achieved by threat actors. While each ransomware variant is different, we’ve seen some common tactics and trends used among the authors of the malware.

    Join & Write a Comment

    Even if you have implemented a Mobile Device Management solution company wide, it is a good idea to make sure you are taking into account all of the major risks to your electronic protected health information (ePHI).
    Don’t let your business fall victim to the coming apocalypse – use our Survival Guide for the Fax Apocalypse to identify the risks and signs of zombie fax activities at your business.
    Here's a very brief overview of the methods PRTG Network Monitor ( offers for monitoring bandwidth, to help you decide which methods you´d like to investigate in more detail.  The methods are covered in more detail in o…
    This video gives you a great overview about bandwidth monitoring with SNMP and WMI with our network monitoring solution PRTG Network Monitor ( If you're looking for how to monitor bandwidth using netflow or packet s…

    734 members asked questions and received personalized solutions in the past 7 days.

    Join the community of 500,000 technology professionals and ask your questions.

    Join & Ask a Question

    Need Help in Real-Time?

    Connect with top rated Experts

    24 Experts available now in Live!

    Get 1:1 Help Now